Program Risk, Issue and Opportunity Management for Defense Contractors: A primer.

I want to be a program risk manager when I grow up, said no child ever. Risk, issue and opportunity (RIO) management isn’t sexy, but it’s a critical element of success on your programs. Without it, you’re flying blind and missing the whole picture of what might come back to bite you on your programs.

The purpose of this article is to explain why program RIO management matters, what it is and what organizations it applies to (spoiler alert, it’s all of them).

Why is RIO management important and why should you care?

Programs that have a strong RIO management culture (strategy, processes, plans and systems):

  • Deliver successful products

  • Save money

  • Save time

  • Strengthen their company’s reputation

  • Capitalize on opportunities

  • Earn more money

  • Win more work

Programs that don’t have a strong risk management culture:

  • Struggle to deliver successful products or services

  • Lose money

  • Are often behind schedule

  • Don’t get follow-on work

RIO management is so important that the Department of Defense has its own 152-page guidebook covering the subject, the Defense Acquisition University has a community of practice for it, and the Project Management Institute (PMI) has a Risk Management Professional (RMP) credential to certify individuals to manage risk in portfolios, programs and projects. RIO management is often part of the selection criteria for proposals and has specific deliverables included in the SDRLs and CDRLs for contracts.

What is Program RIO Management?

First some definitions:

  • Risk – an event that if it happens will negatively impact your program’s cost, schedule, or performance.

  • Issue – an event that has happened and is negatively impacting your program’s cost, schedule, or performance.

  • Opportunity – an event that if it happens will positively impact your program’s cost, schedule, or performance.

Program risk, issue and opportunity management is how a program plans RIO management and identifies, analyzes, responds to and monitors RIOs to ensure that it meets its required performance, cost, and schedule.  

At a fundamental level it consists of the 5 steps shown in the graphic below:

Excelling at program RIO management requires more than just having a process. It requires the organization to adopt a risk-based culture that thinks strategically about risk and integrates that thinking at all levels. This enables the organization to deliver products and services that meet the customer’s technical requirements, on time, and on budget. More on risk culture another time.

Who should have program risk management systems?

ALL companies who have programs with the DoD:

  • Large businesses

  • Small businesses

  • Service based

  • Product based

  • Etc.

The scale of their risk management programs will vary, as will the common types of risks. For example, the risk of a supplier delivering non-conforming parts for a major development program vs. the risk of not having all the right software developers at the right time for an engineering services contract.

However, the principles are the same, and if you don’t implement a formal method of managing your risks, issues and opportunities you will miss things and it will cost you performance, time or money.

 
